We have an old Windows server that has a special legacy application on it, but our security team wants that server locked down, i.e. users can connect to it via telnet, SSH, RDP, etc., but the server itself cannot connect to other servers and can't go out to the internet. We have tried playing with the Windows firewall, which meets some of the security needs, but we still have to lock it down on the network level, so that if someone gets hold of the admin account PW, they can disable the Windows firewall but still can't connect to the outside world.
I have tried using Cisco VACLs (we are using Version 12.2(52)SE), and my relevant VACL statements are as follows:
ip access-list extended any_to_HC
permit ip any host 192.168.1.2
permit icmp any host 192.168.1.2
ip access-list extended HC_to_any
permit ip host 192.168.1.2 any
permit icmp host 192.168.1.2 any
vlan access-map VACL_isolate_HC 10
match ip address HC_to_any
vlan access-map VACL_isolate_HC 20
match ip address any_to_HC
vlan filter VACL_isolate_HC vlan-list 1010
The server is sitting on this VLAN 1010. What I noticed though is that it looks like VACL cannot *sense* established connections so that if you are trying to connect to it or even ping it, even though perhaps inbound packets to the server are allowed, the VACL automatically blocks outgoing?
I also tried modifying the relevant access list clauses above to read:
permit tcp host 192.168.1.2 any established
but it didn't have the desired effect.
I would appreciate any suggestions on how my requirements can be achieved.
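To make the stateless behaviour concrete, here is an added example (not part of the original post, and not Cisco's code) that models how an IOS-style extended ACL is evaluated: rules are tried top to bottom, the first match wins, anything unmatched is dropped, and the `established` keyword is nothing more than a check for the ACK or RST flag on a TCP segment. The host address 192.168.1.2 comes from the post; the client and internet addresses and the packets themselves are constructed for the demonstration.

```python
"""
Stateless ACL evaluation modelled on Cisco IOS extended ACL semantics.
Added example, not code from the original post. The server address is the
one from the post; all packets and peer addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = "192.168.1.2"  # the locked-down host from the post


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    established: bool = False   # IOS `established`: only meaningful for TCP

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not in_net(pkt.src, self.src) or not in_net(pkt.dst, self.dst):
            return False
        if self.established:
            # No connection table exists in a stateless filter: the only thing
            # `established` can look at is whether ACK or RST is set.
            return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
        return True


def in_net(addr: str, spec: str) -> bool:
    """'any' matches everything; otherwise test CIDR membership."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; an implicit deny sits at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Ordered policy for packets leaving the server: replies to connections that
# clients opened are allowed, anything the server initiates is dropped.
SERVER_OUTBOUND = [
    Rule("permit", "tcp", f"{SERVER}/32", "any", established=True),
    Rule("deny", "ip", f"{SERVER}/32", "any"),
]


def demo() -> dict:
    """Evaluate constructed server-originated packets against the policy."""
    client = "10.0.0.5"          # constructed: an admin workstation
    internet = "203.0.113.10"    # constructed: documentation-range address
    cases = {
        # SYN-ACK answering an inbound RDP/SSH SYN carries ACK, so it passes
        "syn_ack_reply": Packet("tcp", SERVER, client, frozenset({"SYN", "ACK"})),
        # mid-session data back to the client also carries ACK
        "data_reply": Packet("tcp", SERVER, client, frozenset({"ACK", "PSH"})),
        # a fresh outbound connection attempt is a bare SYN: no ACK, dropped
        "new_outbound_syn": Packet("tcp", SERVER, internet, frozenset({"SYN"})),
        # `established` is TCP-only, so an ICMP echo reply hits the deny rule
        "ping_reply": Packet("icmp", SERVER, client),
        # UDP (DNS, NTP, ...) from the server has no flags at all: dropped
        "udp_out": Packet("udp", SERVER, "192.0.2.53"),
    }
    return {name: evaluate(SERVER_OUTBOUND, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Two things the run makes visible. First, `permit tcp host 192.168.1.2 any established` only ever matches TCP, so if pinging the server must keep working, ICMP echo replies from the host need their own permit line placed before the deny. Second, because the filter has no connection table, `established` is a flag check rather than proof that a session exists; it stops ordinary outbound connection attempts (which begin with a bare SYN) but is not equivalent to the stateful inspection a firewall would give you, which is why network-level ACLs like this are best treated as a backstop behind the host firewall rather than a replacement for it.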